I've personally always thought SANS/GIAC was pretty expensive (at least for those of us that have to pay out-of-pocket for everything). People complained about EC-Council being "money hungry" when their renewal guidelines originally were drafted... and now SANS wants you to pay a $400 maintenance fee (for your first cert, and $200 each additional) in order to renew your certification. Wow...

Doesn't seem bad to me at all. Instead of having to go sit for a test to renew each, I just keep on doing the security-related training, writing, teaching, work, etc... that I would normally do anyway. It might work out that things are slightly more expensive, but I can make that work out better than I can having to squeeze in another cert test. I like it.

I like it. I take the intensive approach for SANS certifications with a full index of all the materials and any of the course authors' books. This will alleviate that. Also, you get the course materials regardless of how you recertify.

I've had some time to review the changes and gather my thoughts. I appreciate the fact that GIAC/SANS has taken this step. It is a welcome change.

However, I think there may be a lack of inexpensive options for recertification. SANS is keeping you "in the family" because they are requiring you advance SANS and attend their training courses.

It appears the three main ways to maintain your certification are to attend live training ($4k+), write a gold paper ($300), or retake the test ($300) on top of the cost to recertify ($300). While they have options to submit work experience, write test questions, be a facilitator, be a mentor, etc., you cannot make enough credits on your own to recertify. There needs to be money exchanged with SANS or another training provider (which GIAC will approve or not).

It just seems like there should be more options to give back, without having to open your wallet beyond the money required to obtain the recert. A lot of times I have to come up with unique methods for training and certification, because my work only pays for so much. I feel that I should be able to give back and recertify by being a mentor, a facilitator, an ISC handler, or write test questions as many times as I want without a cap on how many credits I receive for each.

I also wish there was not the two year restriction to start your "recertification". For example, I just obtained my GCIH last year and I am going to be facilitating next week. My facilitating won't count towards my recertification unless I do it in another year and a half.

I agree with you 100%, especially after reading the FAQs for this new renewal policy:

I took the 6-day SANS course SEC560 and my GSEC and GCIH certifications are up for renewal in 2010. Can I apply the 36 CMU’s to both certification renewals? Can I at least split the 36 CMU’s between the two?

No. Any CMU’s earned can only be applied to one certification. Additionally, you may not split CMU’s between two certification renewals.

Do I obtain CMUs for earning another certification?

No. Earning or holding another certification will not renew your current certification. You can, however, apply the associated training course if you completed it, as long as you have not taken that course in the past.

This tells me that even if I try to get my CMU's from other sources rather than attend training from SANS, if I have more than one certification then I can only apply the CMU towards one of my renewals and not both. This is obviously a way to make more money.

I'm with itg33k. If we're reading these correctly, you have to do more maintenance training to update additional certs. This is patently dumb. I agree with the position that holding one cert doesn't automatically renew another, but we need to do something with the idea that taking a course can't count as continuing education for more than one certification. I can apply the hours to one GIAC cert and my CISSP... Why not two GIAC certs?

BTW, I'm not GIAC certified because I pay for everything out of pocket and the cost/benefit wasn't there for me in my current position. I'd probably change my thinking a little if I were job hunting.

As someone that pays for most of my own training, I'd like it to be as cheap as possible too. Here's the but.

Pretty much every course I've taken has a re-cert requirement. I can't say that $400 dollars is massively unfair. Yes, I'd like it to be less, given that the SANS' $400 fees for 4 years includes getting the current books and audio, that's better than my CISSP which I get access to a web site for at $85 a year.

SANS training does cost a lot of money, but it's worth it or they'd be out of business. Market forces and all that.

As for the CMU lack of flexibility, I'm guessing that the CMU's are hard to manage and track, that's why mixing and swapping between different certs is not an option.

This may be another reason to take the GSE and only have to take one exam to cover all the SANS re-certs in one go.